Did a PR firm's lapse give hackers keys to Pfizer Facebook page?

Contrary to reports, hackers' brief takeover of the Pfizer Facebook page was probably not due to a security lapse by the social networking giant, security experts say.

The hacktivist group claiming responsibility for Tuesday night's break-in, the Script Kiddies, posted the picture of an agency employee they declared was in charge of the page. “Hint for next time: protect this company with a little better security,” they scrawled on the wall before Pfizer regained control some time later.

In the face of that evidence, the pharma-marketing blogosphere has been ablaze with the theory that Facebook was the source of the breach. “I'm not sure how that's true,” said Dan Kaplan, executive editor of SC Magazine, the IT security publication and sister title of MM&M. “You would assume they'd have to steal the credentials from [Pfizer, or those responsible for running its Facebook page]. Whether they could do it through a hole in Facebook, I'm not entirely sure.”

Kaplan's hunch was supported by Graham Cluley, senior technology consultant at worldwide computer security firm Sophos, who blogs at nakedsecurity.sophos.com. Indeed, traces left by the hackers make it unlikely the social network was responsible for the illicit entry, according to Cluley.

Their online graffiti included a link to the profile of an employee of WCG, the PR firm which, according to the agency's website, handles some corporate communications and interactive duties for Pfizer. (The site does not specify whether that includes social media, but the employee's LinkedIn profile lists Pfizer as a social media client.)

“My suspicion is this page got hacked because [the employee] was sloppy with his security,” Cluley told MM&M. “If I were investigating this hack, the very first thing to do would be to look at the security of the page's administrators and in particular their passwords. That's where my money would be.”

To do what they did on this page, which was to take over as administrator and deface it (no confidential information about the company or any individuals was at risk during the incident, Pfizer said), the hackers would first need a Facebook password. Lists of compromised names and passwords have been posted quite frequently by hacktivist gangs like LulzSec and Anonymous in huge data dumps on a site called Pastebin, said Cluley.

If the employee referred to was in fact the administrator for Pfizer's Facebook page, and his name and password had been hacked and already posted elsewhere online, the hackers could have found it and used it to open the Facebook account, Cluley speculated.

That's not such a long shot. Many web users, Cluley noted, are lax with creating separate passwords, citing a stat that 30% of people use the same password for every single site they access. “In this case the chap was responsible not only for his own online ID but for the brand of a very well-known company, so it's done damage to [the brand],” he said.

UPDATE: A Facebook spokesperson said the company doesn't comment on specific cases. Pfizer said it's in contact with Facebook to “understand how this incident occurred to ensure it doesn't happen again.”

The drugmaker's official investigation may lead elsewhere, as the Script Kiddies tweeted a day later in reference to the slip-up: “So apparently, the articles are all claiming the security breach on Pfizer's page was Facebook's fault? No... thank Pfizer and Pfizer only.”